PHP :: Bug #29886 :: segment fault when processing curl output with "wrapper-registered" stream

Bug #29886

segment fault when processing curl output with "wrapper-registered" stream

Submitted:

2004-08-30 02:08 UTC

Modified:

2005-05-18 16:16 UTC

Votes:	2
Avg. Score:	4.5 ± 0.5
Reproduced:	1 of 1 (100.0%)
Same Version:	0 (0.0%)
Same OS:	0 (0.0%)

From:

public at grik dot net

Assigned:

Status:

Closed

Package:

cURL related

PHP Version:

5CVS-2004-08-30 (dev)

OS:

Linux (not FreeBSD)

Private report:

CVE-ID:

None

View Developer Edit

Welcome back! If you're the original bug submitter, here's where you can edit the bug or add additional notes.
If you forgot your password, you can retrieve your password here.

Password:

Status:
Package:
Bug Type:
Summary:
From:	public at grik dot net
New email:
PHP Version:		OS:

New Comment:

[2004-08-30 02:08 UTC] public at grik dot net

Description:
------------
I register a wrapper, create a stream and pass the pointer to the curl_setopt to process CURL output.
When amount of data returned by CURL exeeds 8192 bytes (size of the CURL buffer), PHP ends with Segmentation fault.

I could not reach the crash using fwrite().

Similar problem was in PHP 4.3.3, in 4.3.7 everything works fine.
I detected this problem again in 5.0.0 and replicated it in the latest stable CSV.

I do not know if it happens upon shutdown and if it is relevant to bug #29358. This happens with CURL only.

Reproduce code:
---------------
The sample code can be found at:
http://www.grik.net/sample.phps

Can be run form command line:
php -f sample.php

Expected result:
----------------
In PHP 4.3.7 this script would output the amount of bytes obtained from CURL:

8192
8192
...

Actual result:
--------------
In PHP 5.0.0:

8192
8192
Segmentation fault

Backtrace (I am not enough good with gdb, could not locate):

(gdb) bt
#0  0x081f714a in _zval_copy_ctor (zvalue=0x8344684,
    __zend_filename=0x8273780 "/usr/src/web/php5-STABLE-200408292230/Zend/zend_execute.c",
    __zend_lineno=3001) at /usr/src/web/php5-STABLE-200408292230/Zend/zend_variables.c:136
#1  0x08227ab6 in zend_send_by_var_helper (execute_data=0xbfffb210, opline=0x8349e38, op_array=0x834b0e4)
    at /usr/src/web/php5-STABLE-200408292230/Zend/zend_execute.c:3001
#2  0x08221824 in zend_send_var_handler (execute_data=0xbfffb210, opline=0x8349e38, op_array=0x834b0e4)
    at /usr/src/web/php5-STABLE-200408292230/Zend/zend_execute.c:3061
#3  0x0821cb76 in execute (op_array=0x834b0e4)
    at /usr/src/web/php5-STABLE-200408292230/Zend/zend_execute.c:1400
#4  0x081ed157 in zend_call_function (fci=0xbfffb370, fci_cache=0x0)
    at /usr/src/web/php5-STABLE-200408292230/Zend/zend_execute_API.c:835
#5  0x081ec1a9 in call_user_function_ex (function_table=0x0, object_pp=0x82e5f00,
    function_name=0xbfffb400, retval_ptr_ptr=0xbfffb3fc, param_count=1, params=0xbfffb3f0,
    no_separation=0, symbol_table=0x0)
    at /usr/src/web/php5-STABLE-200408292230/Zend/zend_execute_API.c:550
#6  0x081cd58c in php_userstreamop_write (stream=0x83446c4,
    buf=0x40030000 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n<html>\n<head>\n <title>PHP: Hypertext Preprocessor</title>\n <link rel=\"stylesheet\" href=\"http://static.php.net/www.php.net/style.css\" />\n"..., count=8192)
    at /usr/src/web/php5-STABLE-200408292230/main/streams/userspace.c:459
#7  0x081c539d in _php_stream_write_buffer (stream=0x83446c4,
    buf=0x40030000 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n<html>\n<head>\n <title>PHP: Hypertext Preprocessor</title>\n <link rel=\"stylesheet\" href=\"http://static.php.net/www.php.net/style.css\" />\n"..., count=8192) at /usr/src/web/php5-STABLE-200408292230/main/streams/streams.c:889
#8  0x081c561f in _php_stream_write (stream=0x83446c4,
    buf=0x40030000 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n<html>\n<head>\n <title>PHP: Hypertext Preprocessor</title>\n <link rel=\"stylesheet\" href=\"http://static.php.net/www.php.net/style.css\" />\n"..., count=8192) at /usr/src/web/php5-STABLE-200408292230/main/streams/streams.c:1000
#9  0x081c7c66 in stream_cookie_writer (cookie=0x83446c4,
    buffer=0x40030000 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n<html>\n<head>\n <title>PHP: Hypertext Preprocessor</title>\n <link rel=\"stylesheet\" href=\"http://static.php.net/www.php.net/style.css\" />\n"..., size=8192) at /usr/src/web/php5-STABLE-200408292230/main/streams/cast.c:96
#10 0x42062019 in _IO_cookie_write () from /lib/tls/libc.so.6
#11 0x4206d09e in new_do_write () from /lib/tls/libc.so.6
#12 0x4206d036 in _IO_new_do_write () from /lib/tls/libc.so.6
#13 0x4206d7b8 in _IO_new_file_overflow () from /lib/tls/libc.so.6
#14 0x4206e220 in _IO_new_file_xsputn () from /lib/tls/libc.so.6
#15 0x42062a62 in fwrite () from /lib/tls/libc.so.6
#16 0x40027de3 in last_use () from /usr/lib/20040412/curl.so
#17 0x4064c139 in Curl_client_write (data=0x834c50c, type=1,
    ptr=0x834c7b8 ">\n The PHP Development Team would like to announce the immediate availability of <a href=\"/downloads.php\">PHP 5.0.1</a>.\n This is a maintenance release that in addition to many non-critical bug fixes "..., len=1448) at sendf.c:337
#18 0x40663fcf in Curl_httpchunk_read (conn=0x8344f3c,
    datap=0x834c7b8 ">\n The PHP Development Team would like to announce the immediate availability of <a href=\"/downloads.php\">PHP 5.0.1</a>.\n This is a maintenance release that in addition to many non-critical bug fixes "..., datalen=1448, wrotep=0xbfffb880) at http_chunks.c:186
#19 0x40660fd7 in Curl_readwrite (conn=0x8344f3c, done=0xbfffb8df "") at transfer.c:980
#20 0x40661f56 in Transfer (conn=0x8344f3c) at transfer.c:1480
#21 0x4066294a in Curl_perform (data=0x834c50c) at transfer.c:1985
#22 0x40663175 in curl_easy_perform (curl=0x834c50c) at easy.c:378
#23 0x4002ab43 in last_use () from /usr/lib/20040412/curl.so
#24 0x0822053b in zend_do_fcall_common_helper (execute_data=0xbfffbc20, opline=0x8348d90,
    op_array=0x834423c) at /usr/src/web/php5-STABLE-200408292230/Zend/zend_execute.c:2708
#25 0x08220caf in zend_do_fcall_handler (execute_data=0xbfffbc20, opline=0x8348d90, op_array=0x834423c)
    at /usr/src/web/php5-STABLE-200408292230/Zend/zend_execute.c:2840
#26 0x0821cb76 in execute (op_array=0x834423c)
    at /usr/src/web/php5-STABLE-200408292230/Zend/zend_execute.c:1400
#27 0x081f9331 in zend_execute_scripts (type=8, retval=0x0, file_count=3)
    at /usr/src/web/php5-STABLE-200408292230/Zend/zend.c:1061
#28 0x081b3c77 in php_execute_script (primary_file=0xbfffe020)
    at /usr/src/web/php5-STABLE-200408292230/main/main.c:1629
#29 0x08229f73 in main (argc=3, argv=0xbfffe0b4)
    at /usr/src/web/php5-STABLE-200408292230/sapi/cli/php_cli.c:943
#30 0x42015574 in __libc_start_main () from /lib/tls/libc.so.6



(gdb) frame 0
#0  0x081f714a in _zval_copy_ctor (zvalue=0x8344684,
    __zend_filename=0x8273780 "/usr/src/web/php5-STABLE-200408292230/Zend/zend_execute.c",
    __zend_lineno=3001) at /usr/src/web/php5-STABLE-200408292230/Zend/zend_variables.c:136
136                             CHECK_ZVAL_STRING_REL(zvalue);

(gdb) frame 1
#1  0x08227ab6 in zend_send_by_var_helper (execute_data=0xbfffb210, opline=0x8349e38, op_array=0x834b0e4)
    at /usr/src/web/php5-STABLE-200408292230/Zend/zend_execute.c:3001
3001                    zval_copy_ctor(varptr);
(gdb) frame 2
#2  0x08221824 in zend_send_var_handler (execute_data=0xbfffb210, opline=0x8349e38, op_array=0x834b0e4)
    at /usr/src/web/php5-STABLE-200408292230/Zend/zend_execute.c:3061
3061            return zend_send_by_var_helper(ZEND_OPCODE_HANDLER_ARGS_PASSTHRU);
(gdb) frame 3
#3  0x0821cb76 in execute (op_array=0x834b0e4)
    at /usr/src/web/php5-STABLE-200408292230/Zend/zend_execute.c:1400
1400                    if (EX(opline)->handler(&execute_data, EX(opline), op_array TSRMLS_CC)) {
(gdb) frame 4
#4  0x081ed157 in zend_call_function (fci=0xbfffb370, fci_cache=0x0)
    at /usr/src/web/php5-STABLE-200408292230/Zend/zend_execute_API.c:835
835                     zend_execute(EG(active_op_array) TSRMLS_CC);
(gdb) frame 5
#5  0x081ec1a9 in call_user_function_ex (function_table=0x0, object_pp=0x82e5f00,
    function_name=0xbfffb400, retval_ptr_ptr=0xbfffb3fc, param_count=1, params=0xbfffb3f0,
    no_separation=0, symbol_table=0x0)
    at /usr/src/web/php5-STABLE-200408292230/Zend/zend_execute_API.c:550
550             return zend_call_function(&fci, NULL TSRMLS_CC);
(gdb) frame 6
#6  0x081cd58c in php_userstreamop_write (stream=0x83446c4,
    buf=0x40030000 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n<html>\n<head>\n <title>PHP: Hypertext Preprocessor</title>\n <link rel=\"stylesheet\" href=\"http://static.php.net/www.php.net/style.css\" />\n"..., count=8192)
    at /usr/src/web/php5-STABLE-200408292230/main/streams/userspace.c:459
459             call_result = call_user_function_ex(NULL,
(gdb) frame 7
#7  0x081c539d in _php_stream_write_buffer (stream=0x83446c4,
    buf=0x40030000 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n<html>\n<head>\n <title>PHP: Hypertext Preprocessor</title>\n <link rel=\"stylesheet\" href=\"http://static.php.net/www.php.net/style.css\" />\n"..., count=8192) at /usr/src/web/php5-STABLE-200408292230/main/streams/streams.c:889
889                     justwrote = stream->ops->write(stream, buf, towrite TSRMLS_CC);
(gdb) frame 8
#8  0x081c561f in _php_stream_write (stream=0x83446c4,
    buf=0x40030000 "<!DOCTYPE HTML PUBLIC \"-//W3C//DTD HTML 4.01 Transitional//EN\">\n<html>\n<head>\n <title>PHP: Hypertext Preprocessor</title>\n <link rel=\"stylesheet\" href=\"http://static.php.net/www.php.net/style.css\" />\n"..., count=8192) at /usr/src/web/php5-STABLE-200408292230/main/streams/streams.c:1000
1000                    return _php_stream_write_buffer(stream, buf, count TSRMLS_CC);
(gdb)

Patches

Pull Requests

History

AllCommentsChangesGit/SVN commitsRelated reports

[2005-03-07 21:33 UTC] sniper@php.net

Please try using this CVS snapshot:

  http://snaps.php.net/php5-latest.tar.gz
 
For Windows:
 
  http://snaps.php.net/win32/php5-win32-latest.zip

I can't get it to crash..

[2005-03-08 09:35 UTC] public at grik dot net

Thank you, I'll try with the new version today.

[2005-03-08 10:44 UTC] derick@php.net

Set to feedback until real feedback has been provided.

[2005-03-16 01:00 UTC] php-bugs at lists dot php dot net

No feedback was provided for this bug for over a week, so it is
being suspended automatically. If you are able to provide the
information that was originally requested, please do so and change
the status of the bug back to "Open".

[2005-05-18 16:08 UTC] joel at joelstrellner dot com

I am having the exact same problem in version 5.0.4.  I have narrowed it down to curl, but I can't narrow it down any further.

I tried using CURLOPT_BUFFERSIZE to overcome it but I am not sure that it is even working.

I am pretty sure that it has to do with curl_multi_init and the related multi functions.

The exact same code using one connection at a time does not cause an error of any kind.

the options I am giving it are:
$conn[$i] = curl_init($url);
curl_setopt ($conn[$i], CURLOPT_BUFFERSIZE, 8192000);
curl_setopt ($conn[$i], CURLOPT_RETURNTRANSFER, 1);
curl_setopt ($conn[$i], CURLOPT_URL, "$url");
curl_setopt ($conn[$i], CURLOPT_USERAGENT, $user_agent);
if (($referer!=NULL) AND ($referer!='')) curl_setopt ($conn[$i], CURLOPT_REFERER, $referer);
curl_setopt ($conn[$i], CURLOPT_CONNECTTIMEOUT, $connecttimeout);
curl_setopt ($conn[$i], CURLOPT_TIMEOUT, $timeout);
curl_setopt ($conn[$i], CURLOPT_HEADER, 0);
curl_setopt ($conn[$i], CURLOPT_FOLLOWLOCATION, 1);
curl_setopt ($conn[$i], CURLOPT_MAXREDIRS, 3);
curl_setopt ($conn[$i], CURLOPT_FAILONERROR, 1);
curl_setopt ($conn[$i], CURLOPT_ENCODING, '');
curl_setopt ($conn[$i], CURLOPT_COOKIEJAR,"cookie.txt");
curl_setopt ($conn[$i], CURLOPT_COOKIEFILE,"cookie.txt");
curl_setopt ($conn[$i], CURLOPT_FOLLOWLOCATION,TRUE);
curl_setopt ($conn[$i], CURLOPT_SSL_VERIFYPEER, FALSE);
curl_setopt ($conn[$i], CURLOPT_SSL_VERIFYHOST, 1);
curl_multi_add_handle ($mh,$conn[$i]);

the error I am getting is a seg fault (11) then the script stops executing.

[2005-05-18 16:16 UTC] public at grik dot net

I found out that the bug was in the PHP stream wrapper - the segmentation fault arized on Linux platform.
That bug was recently fixed (thanx, Tony):
http://bugs.php.net/?id=32742

	php.net \| support \| documentation \| report a bug \| advanced search \| search howto \| statistics \| random bug \| login
go to bug id or search bugs for


Copyright © 2001-2025 The PHP Group All rights reserved.	Last updated: Sun May 11 18:01:27 2025 UTC